Malicious PDF — malware analysis report

Static analysis result for SHA-256 059f88ed573d1f94…

Verdict: MALICIOUS
File type: PDF
Size: 108.7 KB
Created: 2021-04-04 18:41:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: 0153edac401762f4eca7aa0064105fed
SHA-1: f02c75f1a7646229dd0e70c64d7984701d7384d9
SHA-256: 059f88ed573d1f945a5931e161d96e8a4d28d3a6ddb67f2a112c295a7a63cda0
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to disposable domains, indicating a link farm or SEO spam operation. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of malicious activity.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9831

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, tag: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit: the risk is the linked destinations.
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000f0bc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0BC | 9172 bytes | c2bcdec29648568370d7387f9e4e86b132c55404d7cb459cd89029de6510ec86
font_01_sfnt_off00010fe9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FE9 | 4968 bytes | 1df68cd428311f6095568b00d2c7dd2751d2c6154f09f6efcecd059bd2d480b7
font_02_sfnt_off000120a1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x120A1 | 3376 bytes | b29bcae0eabd81feb3c09101f931946531abf503bfccb43d540e313a2f876332
font_03_sfnt_off00012d65.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12D65 | 4888 bytes | 9eb05a12b4ca38bbcf01a09c06b4b8a37c0d84bdea728bb9d5c596765813aa7b
font_04_sfnt_off00013d27.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D27 | 16244 bytes | dd4bcabf04c28ef4876e4c09407bfc901aedea9a9e380fb193279bc78a7a534f
font_05_sfnt_off00016c78.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16C78 | 17468 bytes | 99688168281abbaadaaef87cbec12d06ae413ece21ccfff832150c5d66ec8ada
font_06_sfnt_off000185f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x185F3 | 4324 bytes | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
font_07_sfnt_off000193f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x193F3 | 3992 bytes | b72712216b96ad00e01ff0befa4777fbb83bad2fade88c96fa8998a0333f7a1c